Using "interface" as parameter in ASA ACL

jogillis
Level 1

I have seen in a manual that you can use "interface (interface name)" as the source/destination in an ACL on the ASA. When would you do this? What exactly does it buy you i.e. what does it really give access to?

Example

access-list dmz permit tcp interface dmz host 10.1.1.1 eq http

What is actually getting access to 10.1.1.1 on port 80?

Thanks

Joel G.

7 Replies

suschoud
Cisco Employee

Joel,

Let me give you a complete example:

You have a server on the inside of the firewall which people need to access from outside.

You want to use the firewall's outside interface public IP address for this purpose.

As you cannot map the outside interface IP to an internal server, you would need a static PAT command. Let's assume it's a web server.

static (inside,outside) tcp interface 80 192.168.5.16 80

Inside server's actual IP: 192.168.5.16

Now, along with this static PAT, you would need to allow port 80 specifically for "any" source and the interface IP address as the destination.

In this case, rather than mentioning the interface IP address in the ACL, use the interface keyword.

access-list outside_in permit tcp any interface outside eq 80

access-group outside_in in interface outside

HTH

Sushil

TAC

Thank you. That example with "interface" as the destination I understand, but where would you use the "interface" parameter as the source, such as on a DMZ?

Example

access-list DMZ-to-Lan permit tcp interface dmz 10.x.x.x eq ldap

Thanks

Joel

Joel,

Actually, it's the same concept. When you have a public address that can change, but you host a web server on the inside, your outside acl needs to allow someone into that address. You don't want to change the address each time your address changes, so you use the interface keyword instead of an address:

static (inside,outside) tcp interface 80 192.168.1.50 80

access-list outside permit tcp any interface outside eq 80

HTH,

John

HTH, John *** Please rate all useful posts ***

I'm not sure why you would need an ACL where the source is interface.

The interface-initiated traffic is mostly management traffic and we do not restrict it using ACLs. ACLs are used for traffic passing THROUGH the firewall, not TO or FROM it.

I have never come across a situation wherein the source is specified as the interface IP.....

jogillis
Level 1

Thanks everyone for the examples. I understand why you would use this as the destination, especially if you were using DSL where the outside interface address could change. But using it as the source still has me stumped. The reason I ask is that we are moving a DMZ from one company to ours and the access-list for their DMZ has such statements in it.

Joel G.

I'm pretty sure there won't be any hit counts on that ACL.

Check:

show access-list

According to your example,

access-list DMZ-to-Lan permit tcp interface dmz 10.x.x.x eq ldap

Are there any security restrictions on the LDAP server that require traffic to come from the address that's assigned to the DMZ interface? It *might* be an LDAP security thing where they didn't want everything in the DMZ talking to it, OR they are making requests on behalf of everything in the DMZ? Just a thought.

HTH,

John

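As an added example that is not part of this thread and is not Cisco code, here is a small Python model of how the `interface <name>` keyword resolves in an ACE. It covers both Sushil's static-PAT case (`interface outside` as the destination) and Joel's `interface dmz` source entry. The interface addresses, the 10.1.1.5 LDAP server and the client addresses are constructed for the example; the model only shows address and port matching and ignores NAT ordering, object groups and the rest of the ASA's ACL features.

```python
"""Toy model of how an ASA resolves the `interface <name>` keyword in an ACE.

Constructed example, not Cisco code. An `interface NAME` token resolves to the
firewall's own address on that interface (a /32), not to the subnet behind it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the ASA's named-port table covering the names used in this thread.
NAMED_PORTS = {"http": 80, "www": 80, "https": 443, "ldap": 389}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # "any" | "host A" | "interface NAME" | "NET MASK"
    dst: str
    dport: Optional[int]   # destination port from "eq ...", or None for any


def _parse_address(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next_index)."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    # "host A", "interface NAME" and "NET MASK" all take exactly two tokens.
    return f"{t} {tokens[i + 1]}", i + 2


def parse_ace(line):
    """Parse e.g. 'access-list NAME permit tcp any interface outside eq 80'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line")
    action, proto = tokens[2], tokens[3]
    src, i = _parse_address(tokens, 4)
    dst, i = _parse_address(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        dport = NAMED_PORTS[p] if p in NAMED_PORTS else int(p)
    return Ace(action, proto, src, dst, dport)


def resolve(spec, interfaces):
    """Turn an address spec into an ip_network using the current interface table."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    kind, value = spec.split()
    if kind == "host":
        return ipaddress.ip_network(f"{value}/32")
    if kind == "interface":
        # The firewall's own address on that interface, looked up at match time.
        return ipaddress.ip_network(f"{interfaces[value]}/32")
    return ipaddress.ip_network(f"{kind}/{value}", strict=False)  # NET MASK form


def ace_matches(ace, interfaces, proto, src_ip, dst_ip, dport):
    """True if the flow is matched by this ACE under the given interface table."""
    if ace.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src_ip) not in resolve(ace.src, interfaces):
        return False
    if ipaddress.ip_address(dst_ip) not in resolve(ace.dst, interfaces):
        return False
    return ace.dport is None or ace.dport == dport


def acl_permits(acl, interfaces, proto, src_ip, dst_ip, dport):
    """First-match evaluation with an implicit deny at the end, as on the ASA."""
    for ace in acl:
        if ace_matches(ace, interfaces, proto, src_ip, dst_ip, dport):
            return ace.action == "permit"
    return False


# Constructed interface table (documentation and RFC 1918 addresses, not from the thread).
INTERFACES = {"outside": "203.0.113.10", "dmz": "172.16.1.1", "inside": "192.168.5.1"}

OUTSIDE_IN = [parse_ace("access-list outside_in permit tcp any interface outside eq 80")]
# 10.1.1.5 stands in for the "10.x.x.x" LDAP server in Joel's post (constructed).
DMZ_TO_LAN = [parse_ace("access-list DMZ-to-Lan permit tcp interface dmz host 10.1.1.5 eq ldap")]


def demo():
    """Evaluate sample flows; returns a dict of results rather than printing."""
    client = "198.51.100.7"  # constructed Internet client
    # Web client hits the server via the outside interface's current address.
    before = acl_permits(OUTSIDE_IN, INTERFACES, "tcp", client, "203.0.113.10", 80)
    # ISP renumbers the outside interface; the ACE text is left untouched.
    renumbered = dict(INTERFACES, outside="203.0.113.77")
    after = acl_permits(OUTSIDE_IN, renumbered, "tcp", client, "203.0.113.77", 80)
    stale = acl_permits(OUTSIDE_IN, renumbered, "tcp", client, "203.0.113.10", 80)
    # A host on the DMZ subnet doing LDAP to the LAN does not match `interface dmz`.
    dmz_host = acl_permits(DMZ_TO_LAN, INTERFACES, "tcp", "172.16.1.50", "10.1.1.5", 389)
    # Only a packet sourced from the firewall's own DMZ address matches it.
    asa_itself = acl_permits(DMZ_TO_LAN, INTERFACES, "tcp", "172.16.1.1", "10.1.1.5", 389)
    return {"before": before, "after": after, "stale": stale,
            "dmz_host": dmz_host, "asa_itself": asa_itself}


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name}: {'permit' if permitted else 'deny'}")
```

Running `demo()` shows the two sides of the thread: the `outside_in` entry keeps matching after the outside address changes (and the old address stops matching), while a DMZ host sourcing LDAP never matches `interface dmz`; only a packet from the firewall's own DMZ address does. Since, as Sushil notes, the ASA does not put its self-originated traffic through the interface ACLs, such an entry normally shows zero hit counts in `show access-list`, which is worth confirming before carrying it over in a migration.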